MLA Guide to Protecting Personal Information A Guide to Part IV of FOIP for Members of the Legislative Assembly and their Offices July 2024
Office of the Saskatchewan Information and Privacy Commissioner. MLA Guide to Protecting Personal Information. Effective April 2018. Updated 9 July 2024. 1 MLA Guide to Protecting Personal Information DISCLAIMER: This document is not intended to provide legal advice and is provided for informational use only. A Guide to Part IV of FOIP for Members of the Legislative Assembly and their Offices As of January 1, 2018, offices of Members of the Legislative Assembly (MLAs) and their employees are subject to most of Part IV of The Freedom of Information and Protection of Privacy Act (FOIP). In this document, they will be referred to as “MLA offices.” Subsection 3(3) of FOIP provides: 3(3) Subject to the regulations, the following sections apply, with any necessary modification, to offices of members of the Assembly and their employees as if the members and their offices were government institutions: (a) sections 24 to 30; (b) section 33. Constituents often entrust MLA offices with personal information. Part IV gives the citizen certain rights of protection and imposes obligations on MLA offices. As a result, MLA offices must take steps to protect personal information. The only sections in Part IV that do not apply to MLA offices are sections 31 and 32. Section 31 deals with a person’s right to access that person’s personal information. Section 32 deals with a person’s right to a correction of personal information. Please note that Members of the Executive Council and their offices (Ministers’ offices) are also subject to certain provisions in Part IV of FOIP. For more information, see our office’s resource: A Ministers’ Guide to Protecting Personal Information.
Office of the Saskatchewan Information and Privacy Commissioner. MLA Guide to Protecting Personal Information. Effective April 2018. Updated 9 July 2024. 2 What is Personal Information? For a full definition of what is considered personal information, see subsection 24(1) of FOIP. However, subsection 24(1) of FOIP is not an exhaustive list. Generally, in order to be considered personal information, the information must be: • About an identifiable individual. • Be information that is personal in nature. Some of the examples listed at subsection 24(1) of FOIP include (not exhaustive): • An individual’s race, creed, religion, colour, sex, sexual orientation, family status or marital status, disability, age, nationality, ancestry or place of origin. • The personal opinions or views of the individual except where they are about another individual. • The views or opinions of another individual with respect to the individual. • Information that relates to the education or the criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved. • The name of an individual where it appears with other personal information that relates to the individual or the name itself where it reveals personal information about the individual. See also the Guide to FOIP, Chapter 6, “Protection of Privacy” for more on what constitutes personal information under FOIP starting at page 30. What is Collection of Personal Information? Collection means to bring or come together; assemble; accumulate; obtain personal information from any source by any means. Constituents regularly consult MLA offices on problems and issues they have with government and/or the health system. In that process of asking for help, they may provide documents or give verbal information that is documented, which contains considerable sensitive personal information. This is an example of a collection.
Office of the Saskatchewan Information and Privacy Commissioner. MLA Guide to Protecting Personal Information. Effective April 2018. Updated 9 July 2024. 3 Before collecting any personal information, the MLA office should pause and assess the purpose for collecting this information; and determine whether this information is necessary for such a purpose. Section 25 of FOIP provides: 25 No government institution shall collect personal information unless the information is collected for a purpose that relates to an existing or proposed program or activity of the government institution. It is important that the MLA office consider the purpose for collecting personal information. In most cases, it is going to be information required to solve the problem that the citizen has. MLA offices should also keep in mind the data minimization principle and only collect specific personal information that is required for the identified purposes. For example, consider which information and documents that may not be needed such as tax returns, doctor’s reports, financial statements, laboratory tests and non-relevant correspondence. When an MLA or a constituency assistant speaks with a citizen, have the citizen consent to the collection of personal information. For more information on consent, please see below. Once an MLA office collects personal information, it is up to the MLA office to protect the personal information. For more information, see What is my duty to protect? Below. Furthermore, section 26 requires MLA offices to collect personal information directly from the subject individual, except in the circumstances listed in subsections 26(1)(a) to (h) of FOIP. For more on collection and what FOIP requires in this regard, see the Guide to FOIP, Chapter 6, “Protection of Privacy” starting at page 125. What is Use of Personal Information? Use indicates internal utilization of personal information by the MLA office and includes the sharing of the personal information in such a way that it remains under the control of the MLA office.
Office of the Saskatchewan Information and Privacy Commissioner. MLA Guide to Protecting Personal Information. Effective April 2018. Updated 9 July 2024. 4 Section 27 of FOIP requires that MLA offices take reasonable measures to ensure the personal information used is as accurate and complete as possible. Section 28 of FOIP provides: 28 No government institution shall use personal information under its control without the consent, given in the prescribed manner, of the individual to whom the information relates, except: (a) for the purpose for which the information was obtained or compiled, or for a use that is consistent with that purpose; or (b) for a purpose for which the information may be disclosed to the government institution pursuant to subsection 29(2). MLA offices may use personal information in three circumstances: 1) If it has the consent of the subject individual. See the section on consent below. 2) For the purpose it was collected or a use consistent with that purpose. As mentioned in the section on the collection of personal information, MLA offices must have identified an authorized purpose for collecting personal information before it is collected. 3) In circumstances described in subsection 29(2) of FOIP or The Freedom of Information and Protection of Privacy Regulations (FOIP Regulations). For more on use and what FOIP requires in this regard, see the Guide to FOIP, Chapter 6, “Protection of Privacy” starting at page 172. What is Disclosure of Personal Information? Disclosure is the sharing of personal information with a separate entity, not a division or branch of the MLA office in possession or control of that information. Subsection 29(1) of FOIP provides: 29(1) No government institution shall disclose personal information in its possession or under its control without the consent, given in the prescribed manner, of the individual to whom the information relates except in accordance with this section or section 30.
Office of the Saskatchewan Information and Privacy Commissioner. MLA Guide to Protecting Personal Information. Effective April 2018. Updated 9 July 2024. 5 MLA offices may disclose personal information in three circumstances: 1) If it has the consent of the subject individual. See the section on consent below. 2) For the purpose it was collected or a use consistent with that purpose. As mentioned in the section on the collection of personal information, MLA offices must have identified an authorized purpose for collecting personal information before it is collected. (See subsection 29(2)(a) of FOIP.) 3) In circumstances described in subsections 29(2), section 30 of FOIP or the FOIP Regulations. Disclosure of personal information for any other purpose may be an unauthorized disclosure. Sharing personal information between different MLA offices or with a Ministers’ office would constitute a disclosure of personal information and must be authorized by the individual’s consent, sections 29 or 30 of FOIP or the FOIP Regulations. For more on disclosure and what FOIP requires in this regard, see the Guide to FOIP, Chapter 6, “Protection of Privacy” starting at page 184. What should I do if there has been an Unauthorized Collection, Use or Disclosure of Personal Information? An unauthorized collection, use or disclosure of personal information is a privacy breach. For more information on how to investigate a privacy breach, see the Office of the Information and Privacy Commissioner’s (IPC) resource: Privacy Breach Guidelines for Government Institutions and Local Authorities. In instances where there is an unauthorized use or disclosure in an MLA office, there may be an obligation to report that unauthorized use or disclosure to the person (affected individual) whose personal information was used or disclosed. Section 29.1 of FOIP provides as follows: 29.1 A government institution shall take all reasonable steps to notify an individual of an unauthorized use or disclosure of that individual’s personal information by the government institution if it is reasonable in the circumstances to believe that the incident creates a real risk of significant harm to the individual.
Office of the Saskatchewan Information and Privacy Commissioner. MLA Guide to Protecting Personal Information. Effective April 2018. Updated 9 July 2024. 6 It should be noted that this section becomes active where it is believed the breach “creates a real risk of significant harm.” For further information, see IPC blog Real Risk of Significant Harm. In addition, see pages 268 to 271 of the Guide to FOIP, Chapter 6, “Protection of Privacy” for more on section 29.1 of FOIP. Furthermore, the IPC can investigate privacy concerns related to MLA offices. This occurs most often when a citizen brings a concern to the Commissioner. Section 33 of FOIP provides: 33 The commissioner may: (a) offer comment on the implications for privacy protection of proposed legislative schemes or government programs; (b) after hearing the head, recommend that a government institution: (i) cease or modify a specified practice of collecting, using or disclosing information that contravenes this Act; and (ii) destroy collections of personal information that is collected in contravention of this Act; (c) in appropriate circumstances, authorize the collection of personal information in a manner other than directly from the individual to whom it relates; (d) from time to time, carry out investigations with respect to personal information in the possession or under the control of government institutions to ensure compliance with this Part. For more information about the IPC’s investigation process, please see Privacy Breach Guidelines for Government Institutions and Local Authorities and the Rules of Procedures. What is my Duty to Protect? Section 24.1 of FOIP imposes a duty on MLA offices to protect personal information in its possession or control. It requires that MLA offices have administrative, technical and physical safeguards in place to protect personal information.
Office of the Saskatchewan Information and Privacy Commissioner. MLA Guide to Protecting Personal Information. Effective April 2018. Updated 9 July 2024. 7 Section 24.1 of FOIP provides: 24.1 Subject to the regulations, a government institution shall establish policies and procedures to maintain administrative, technical and physical safeguards that: (a) protect the integrity, accuracy and confidentiality of the personal information in its possession or under its control; (b) protect against any reasonably anticipated: (i) threat or hazard to the security or integrity of the personal information in its possession or under its control; (ii) loss of the personal information in its possession or under its control; or (iii) unauthorized access to or use, disclosure or modification of the personal information in its possession or under its control; and (c) otherwise ensure compliance with this Act by its employees. Administrative safeguards are controls that focus on internal organizations, policies, procedures and maintenance of security measures that protect personal information. Examples include written policies and procedures, annual training for employees, confidentiality agreements, agreements with information management service providers (IMSP), auditing programs, records retention and destruction schedules and access restrictions. Technical Safeguards are the technology and the policy and procedures for its use that protect personal information and control access to it. Examples include separate user identifications, passwords, firewalls, identification and authentication controls, virus scanners and audit capabilities in digital systems. Physical Safeguards are physical measures, policies, and procedures to protect personal information and related buildings and equipment, from unauthorized intrusion and natural and environmental hazards. Examples include locked filing cabinets, offices and storage rooms, alarm systems and clean desk approaches. Note that personal information in the possession or control of MLA offices can exist in different types of records such as: • Hard copy: physical representations of data, such as paper. This includes, among other things, notes, memos, messages, correspondence, transaction records and reports.
Office of the Saskatchewan Information and Privacy Commissioner. MLA Guide to Protecting Personal Information. Effective April 2018. Updated 9 July 2024. 8 • Electronic copy: information stored on electronic media, such as computer hard drives, copier and printer hard drives, removable solid drives including memory, disks and USB flash drives and mobile phones. This also includes information stored in the cloud. Examples are e-mails, text messages and other electronic documents. For more on these three types of safeguards and things to consider, see the Guide to FOIP, Chapter 6, “Protection of Privacy” starting at page 89. Subsection 24.1(a) of FOIP Subsection 24.1(a) of FOIP indicates that an MLA office must protect the integrity, accuracy and confidentiality of the personal information in its possession or under its control. Integrity refers to the condition of information being whole or complete; not modified, deleted or corrupted. Confidentiality implies a trust relationship between the person supplying information and the individual or organization collecting or using it. The relationship is built on the assurance that the information will only be used by or disclosed to authorized persons or to others with the individual’s permission. Protecting the confidentiality of personal information implies that individually identifying personal information is concealed from all but authorized parties. For more on subsection 24.1(a) of FOIP, see the Guide to FOIP, Chapter 6, “Protection of Privacy” starting at page 107. Subsection 24.1(b) of FOIP Subsection 24.1(b) of FOIP indicates that an MLA office must protect against any reasonably anticipated: • threat or hazard to the security or integrity of the personal information in its possession or under its control; • loss of the personal information in its possession or under its control; or • unauthorized access to or use, disclosure or modification of the personal information
Office of the Saskatchewan Information and Privacy Commissioner. MLA Guide to Protecting Personal Information. Effective April 2018. Updated 9 July 2024. 9 in its possession or under its control. Reasonably Anticipated: Reasonable means what a reasonable person would consider appropriate in the circumstances. This standard acknowledges that reasonable does not mean ‘perfect’. Anticipated means to be aware of (a future event) and take action; regard as probable; look forward to; to act or happen before. Threat means the possibility of trouble or danger. Hazard means a danger or risk. Security means a condition of safety or freedom from fear or danger. In the context of personal information, it refers to the physical, technological, or administrative arrangements that persons or organizations use to prevent individually identifying personal information from being altered, lost, or disclosed without authority. Integrity refers to the condition of information being whole or complete; not modified, deleted, or corrupted. Unauthorized access occurs when individuals access personal information that they do not need-to-know, either by accident or on purpose. This would also qualify as either an unauthorized use or unauthorized disclosure depending on the circumstances. Need-to-know is the principle that an office should only collect, use or disclose personal information needed for authorized purposes. Personal information should only be available to those employees in an organization that have a legitimate need-to-know that information for fulfilling the purpose for which it was collected. For more on subsection 24.1(b) of FOIP, see the Guide to FOIP, Chapter 6, “Protection of Privacy” starting at page 109.
Office of the Saskatchewan Information and Privacy Commissioner. MLA Guide to Protecting Personal Information. Effective April 2018. Updated 9 July 2024. 10 Subsection 24.1(c) of FOIP Subsection 24.1(c) of FOIP indicates that an MLA office should have education programs in place for their employees. In this case, training which addresses the MLA office’s duties under FOIP, the safeguards the office has established, the need-to-know and consequences for violating FOIP is best practice. Further, the IPC has indicated that annual training is also best practice. For more on subsection 24.1(c) of FOIP, see the Guide to FOIP, Chapter 6, “Protection of Privacy” starting at page 116. Information Management Service Providers (IMSP) IMSP is defined in subsection 2(1)(e.1) of FOIP as follows: 2(1) In this Act: … (e.1)“information management service provider” means a person who or body that: (i) processes, stores, archives or destroys records of a government institution containing personal information; or (ii) provides information management or information technology services to a government institution with respect to records of the government institution containing personal information; Any time an MLA office engages an IMSP to provide service, it is necessary to consider section 24.2 of FOIP. This will mainly arise when an MLA office contracts with a technology company to maintain computers or with a company that will destroy files. Subsection 24.2(1) provides: 24.2(1) A government institution may provide personal information to an information management service provider for the purposes of: (a) having the information management service provider process, store, archive or destroy the personal information for the government institution;
Office of the Saskatchewan Information and Privacy Commissioner. MLA Guide to Protecting Personal Information. Effective April 2018. Updated 9 July 2024. 11 (b) enabling the information management service provider to provide the government institution with information management or information technology services; (c) having the information management service provider take possession or control of the personal information; (d) combining records containing personal information; or (e) providing consulting services. Where an MLA office engages an IMSP, it is necessary to enter into a written agreement. Subsections 24.2(2) and (3) provide: 24.2(2) Before disclosing personal information to an information management service provider, a government institution shall enter into a written agreement with the information management service provider that: (a) governs the access to and use, disclosure, storage, archiving, modification and destruction of the personal information; (b) provides for the protection of the personal information; and (c) meets the requirements of this Act and the regulations. (3) An information management service provider shall not obtain access to, use, disclose, process, store, archive, modify or destroy personal information received from a government institution except for the purposes set out in subsection (1). See the IPC’s resource entitled, Best Practice for Information Sharing Agreements. For more on subsection 24.2 of FOIP and the use of IMSPs, see the Guide to FOIP, Chapter 6, “Protection of Privacy” starting at page 118. Retention and Destruction of Personal Information Unlike Ministerial records, there are no statutory requirements for MLAs to transfer records to the Saskatchewan Archives Board, as they are personal property and not subject to The Archives and Public Records Management Act. Therefore, these records may be disposed of as each MLA sees fit. For information on the Provincial Archives of Saskatchewan, see www.saskarchives.com.
Office of the Saskatchewan Information and Privacy Commissioner. MLA Guide to Protecting Personal Information. Effective April 2018. Updated 9 July 2024. 12 It is a best practice to develop a records classification or records keeping system for MLA offices to ensure that all of the personal information that has been collected is accounted for. Once a record classification is in place, it is also important to have a record destruction schedule in place. The longer personal information is kept, the longer there is a risk of a privacy breach. MLA offices may consider destroying personal information of citizens as soon as it is no longer required for the purpose for which it has been collected. MLA offices may need to keep employee personal information longer than personal information of a citizen. It is also best practice to have a copy of a record destruction schedule available for interested citizens. Once a record destruction schedule is in place, MLA offices must take care to dispose of personal information in a secure manner. It is not best practice to simply throw it in the trash as a privacy breach may result. There are a number of commonly accepted ways for MLA offices to properly dispose of personal information depending on the form in which it is being stored. The goal is to irreversibly destroy the media, which contains personal information so that this information cannot be reconstructed or recovered in any way. When going through the process of disposal, an MLA office should also destroy all associated copies and backup files. In instances where an MLA is planning a move, or is closing the constituency office, personal information should be securely transferred or safely disposed of. MLA offices should obtain written consent from the individual before transferring the records to another MLA, which would constitute a disclosure of personal information. What is Required to Obtain the Consent to Collect, Use and Disclose Personal Information? Section 18 of the FOIP Regulations describes the standard of consent when consent is required for the collection, use and disclosure of personal information. Section 18 of the FOIP Regulations provides: 18(1) If consent is required by the Act for the collection, use or disclosure of personal information, the consent: (a) must relate to the purpose for which the information is required; (b) must be informed;
Office of the Saskatchewan Information and Privacy Commissioner. MLA Guide to Protecting Personal Information. Effective April 2018. Updated 9 July 2024. 13 (c) must be given voluntarily; and (d) must not be obtained through misrepresentation, fraud or coercion. (2) A consent to the collection, use or disclosure of personal information is informed if the individual who gives the consent is provided with the information that a reasonable person in the same circumstances would require in order to make a decision about the collection, use or disclosure of personal information. (3) A consent may be given that is effective for a limited period. (4) A consent may be express or implied unless otherwise provided. (5) An express consent need not be in writing. (6) A government institution, other than the government institution that obtained the consent, may act in accordance with an express consent in writing or a record of an express consent having been given without verifying that the consent meets the requirements of subsection (1) unless the government institution that intends to act has reason to believe that the consent does not meet those requirements Where consent is required it must: • Relate to the purpose for which the information is required. • Be informed. • Be given voluntarily. • Not be obtained through misrepresentation, fraud or coercion. It is also important to note that: • A consent may be given that is effective for a limited period of time. • Consent may be express or implied unless otherwise provided. • An express consent need not be in writing. Express consent is informed and voluntary. Consent is informed when the individual knows the purpose for the collection, use and/or disclosure, that they can withhold or revoke their consent and the consequences of doing so. A consent is also revocable. The following form has been developed for the use of MLA offices when collecting, using and/or disclosing personal information: MLA Consent form.
Office of the Saskatchewan Information and Privacy Commissioner. MLA Guide to Protecting Personal Information. Effective April 2018. Updated 9 July 2024. 14 For more information on consent, see the IPC’s resource: Best Practices for Gathering Informed Consent and the Content of Consent Forms. For more on consent requirements, see the Guide to FOIP, Chapter 6, “Protection of Privacy” starting at page 25. Common Safeguards Required for Compliance with Part IV of FOIP MLA offices should consider the following safeguards: • Does the office have a policy relating to the collection, use, disclosure and safeguarding of personal information? • Have the employees in the office received privacy training? Training should include: o What is FOIP. o What is personal information. o What is a collection. A use. A disclosure. o What are best practices for the collection, use and disclosure of personal information. o What administrative, physical and technical safeguards are in place to protect personal information. o How to identify the purpose of collecting personal information. o What is consent. When is consent required. How do you obtain consent. o When and how should personal information be destroyed. • Is there a record classification system? • Is there a record destruction schedule? Does it outline how personal information should be destroyed? • Is there a policy regarding the use of personal email to conduct constituency business which involves personal information? • Has each employee in the office signed a confidentiality statement or agreement?
Office of the Saskatchewan Information and Privacy Commissioner. MLA Guide to Protecting Personal Information. Effective April 2018. Updated 9 July 2024. 15 Contact Information If you have any questions or concerns, please contact us: 306-787-8350 | toll free 1-877-748-2298 503 – 1801 Hamilton Street | Regina SK S4P 4B4 intake@oipc.sk.ca| www.oipc.sk.ca | @SaskIPC | Linkedin
RkJQdWJsaXNoZXIy MTgwMjYzOA==